Do not verify nonce in access and refresh tokens (only id tokens) (#26891)

Closes #26651

Signed-off-by: Grzegorz Grzybek <gr.grzybek@gmail.com>
This commit is contained in:
Grzegorz Grzybek
2024-02-08 13:19:32 +01:00
committed by GitHub
parent edd68d12fb
commit a95894dbad

View File

@@ -802,10 +802,7 @@ function Keycloak (config) {
setToken(accessToken, refreshToken, idToken, timeLocal);
if (useNonce && ((kc.tokenParsed && kc.tokenParsed.nonce != oauth.storedNonce) ||
(kc.refreshTokenParsed && kc.refreshTokenParsed.nonce != oauth.storedNonce) ||
(kc.idTokenParsed && kc.idTokenParsed.nonce != oauth.storedNonce))) {
if (useNonce && (kc.idTokenParsed && kc.idTokenParsed.nonce != oauth.storedNonce)) {
logInfo('[KEYCLOAK] Invalid nonce, clearing token');
kc.clearToken();
promise && promise.setError();